title: Portable Executable Injection (T1055.002)
id: df00tech-t1055-002
status: experimental
description: "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Unlike DLL injection, PE injection copies the entire executable image into the target process rather than loading a DLL via LoadLibrary. The displacement of the injected code introduces the additional requirement for functionality to remap memory references."
references:
  - https://attack.mitre.org/techniques/T1055/002/
  - https://df00tech.com/detections/T1055.002
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below (EventID: '*') is a placeholder that matches every
  # process_creation event; replace it with the df00tech query before deploying, otherwise
  # the rule fires on all events.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - EDR agents performing shellcode-based process monitoring and hooking
  - .NET CLR hosting injecting managed code into processes without DLL load events
  - "Game anti-cheat software (EasyAntiCheat, BattlEye) injecting protection code into game processes"
  - Software update agents injecting hotpatch code into running processes
level: high
